So you’ve gotten a website built, then what? In my career I have had the responsibility to clean up and disinfect many WordPress sites and it’s never a fun (or quick) job.
Rather than having to pay someone to clean up your website after an incident keep security front of mind with with these simple steps.
Keep everything up to date
Over a quarter of websites are using WordPress, which inevitably draws the attention of hackers and other nefarious nardowells. To keep them at bay WordPress (the company) is constantly releasing security updates, fixes and patches. Whenever an update is released we encourage you to update as soon as possible. You may think you have time, you can update next month, but think again. When WordPress releases updates they also release a list of issues they’ve fixed. This is essentially a list that every would-be hacker is able to check on out-of-date websites to find a way in.
Ditto with plugins. Keep on top of making sure your plugins are kept up to date. If a WordPress update is released you can expect most reputable and supported plugins will likely release updates shortly after. Remember that chain analogy? If you have a plugin that hasn’t been updated in a few months then that opens up a lot of potential vulnerability.
Give your passwords some spinach
I’m strong to the finish, ’cause I eats me Spinach, I’m Popeye the sailor man!Something some sailor once said
This one should go without saying, but we’re going to say it anyway. Make sure that users on your website are setting strong passwords, especially if they have access to the backend. A chain is only as strong as its weakest link, and if one of your admins’ password is “password” then your chain is worthless.
WordPress does give you an indication on strength when you set a password, but it doesn’t stop you from using one. To help this you can install a plugin to enforce strong passwords.
Pay attention to hosting
When it comes to hosting a lot of people look for the cheapest option, but there’s a lot more to consider. Find yourself a host that understands web security, keeps their servers maintained and up to date, and has good support.
For reference we use Ventra IP to host most of our new websites. We’ve been using them to host a few bigger sites in recent years and their service is top-notch, support is excellent, and are based in Melbourne.
Be username conscious
Whether you use surnames, full names or some other convention you should ensure you use something unique for your WordPress usernames.
For every lock, there is someone out there trying to pick it or break in.David Bernstein
Users with administrative abilities should never have the username ‘admin’, if for no other reason than a username/password pair is the key to accessing your website. If hackers try ‘admin’ and it works, they’re already halfway there. Not to mention users should generally not be shared so you can keep track of who does what in your site, and an ‘admin’ user could be anyone.
If you’d like an example, a client sent us this screenshot this morning. Less than a week after the launch of their new website there were already bots trying to access the backend with the username “admin”. If a developer delivers a website to you and the WordPress username is ‘admin’ then give them a smack.
Get an SSL certificate
An SSL certificate encrypts any data that you or your visitors send and receive through the website. Google recommends that you have one, as do all reputable web professionals. Many hosts will provide you with a free SSL certificate when you sign up, but if you need increased security you can always pay for a higher level certificate.
Use security plugins
There are a few security plugins available for WordPress, although we (and many other people) recommend WordFence. WordFence is capable of scanning your WordPress installation and checking for any security issues, including checking that plugin files haven’t been altered, there are no suspicious files lurking anywhere, and that your users are using secure passwords. It also includes a firewall, IP blocking, brute force defences, and other fancy security features that you probably wouldn’t have thought of.
Assign (or pay) someone to be on top of this
The point we’re getting at is that security isn’t something you do with a website when it launches, it’s something you need to keep maintained through the life of the website. If possible assign somebody within your organisation to be responsible for regularly checking everything on this list. If you don’t have the personel (or confidence, time or skills) to do this yourself, contract someone to do it for you. Many developers will have maintenance or security plans available and can take on the burden of ensuring your security is tip top.
If you’d like to chat with us about your website security or setting up a maintenance plan get in touch with us today 🙂